_ = require 'underscore'

module.exports = (permission) ->
  (req, res, next) ->
    unless req.query.access_token
      return res.json 400, error: "require access_token"
    if req.session.error
      return res.json 400, error: req.session.error
    if permission and ! _.contains req.session.permissions, permission
      return res.json 400, error: 'You dont have the permission'
    next()